U.S. DOJ Charges 54: ATM Jackpotting Scheme Tied to Venezuelan Terrorist Organization


U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware

The U.S. Department of Justice has indicted 54 individuals in connection with a multi-million dollar ATM jackpotting operation that used specialized malware to force cash machines across the country to dispense money. The defendants, allegedly linked to Venezuelan gang Tren de Aragua, face up to 335 years in prison if convicted.

Federal prosecutors claim the criminal organization stole approximately $40.73 million through 1,529 jackpotting incidents since 2021, with proceeds allegedly funding terrorist activities. The scheme involved sophisticated reconnaissance, physical tampering with ATMs, and deployment of the Ploutus malware, one of the most dangerous families of financial malware, which commandeers the cash dispensing mechanism while covering its tracks.

How the ATM jackpotting operation worked

The sophisticated criminal enterprise required both technical expertise and physical access to ATMs. According to the Justice Department, the operation followed a methodical approach:

First, recruited operatives would conduct surveillance of potential ATM targets, assessing external security measures and determining if they could access the machine's internal components without triggering alarms or law enforcement response.

Once a suitable target was identified, the attackers would physically break into the ATM's upper compartment using master keys or lock-picking techniques. They would then either replace the entire hard drive with one preloaded with Ploutus malware or connect a thumb drive to install the malicious software.

"These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization," said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division.

The malware was specifically designed to interface with the Cash Dispensing Module of ATMs, enabling unauthorized commands to force currency withdrawals. Importantly, Ploutus also contained self-concealing features to delete evidence of its presence, misleading bank employees and hindering investigation efforts.

After successfully extracting cash, the conspirators would divide the proceeds according to predetermined arrangements, with significant portions allegedly funneled to Tren de Aragua leadership.

The terrorist connection and broader implications

The indicted members are allegedly affiliated with Tren de Aragua (TdA), Spanish for "the train of Aragua". The organization was designated a foreign terrorist organization by the U.S. State Department.

Earlier this year, in July 2025, the U.S. government imposed sanctions against the group's leader, Hector Rusthenford Guerrero Flores (also known as "Niño Guerrero"), along with five key associates. These sanctions cited their involvement in numerous criminal activities including:

  • Illicit drug trade
  • Human smuggling and trafficking
  • Extortion
  • Sexual exploitation of women and children
  • Money laundering

U.S. Attorney Lesley Woods emphasized the serious nature of the funding operation, stating: "Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes."

This case highlights the increasingly complex intersection between cybercrime and terrorism financing, demonstrating how comprehensive cybersecurity risk assessments must now account for both technical vulnerabilities and potential connections to organized crime. Financial institutions must recognize that ATM security isn't merely about protecting assets but also preventing their systems from becoming conduits for terrorist funding.

Details of the indictments

The Justice Department's case involves two separate but related indictments:

The first indictment, returned on December 9, 2025, charges 22 individuals with bank fraud, burglary, and money laundering in connection with the jackpotting scheme.

A second indictment from October 21, 2025, names 32 additional individuals. These defendants face more extensive charges including:

  • One count of conspiracy to commit bank fraud
  • One count of conspiracy to commit bank burglary and computer fraud
  • 18 counts of bank fraud
  • 18 counts of bank burglary
  • 18 counts of damage to computers

The penalties for these crimes are severe. If convicted, defendants face maximum sentences ranging from 20 to 335 years in federal prison, effectively life sentences for those found guilty of multiple charges.

The evolution of Ploutus malware

The Ploutus malware at the center of this scheme has a long history in cybercriminal circles, having first emerged in Mexico in 2013. Its sophistication has grown over time.

In 2014, cybersecurity firm Symantec published a report detailing how the malware could be deployed against Windows XP-based ATMs. In these early versions, criminals could trigger cash withdrawals simply by sending SMS commands to compromised machines – a technique that allowed criminals to avoid physically returning to the ATM.

By 2017, FireEye (now part of Google Mandiant) documented an advanced version called Ploutus-D. This iteration had expanded compatibility with various Windows versions and specifically targeted Diebold ATMs, a common brand in the banking industry.

"Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes," FireEye explained at the time. "A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM."

This latest case demonstrates how criminal organizations continue to adapt and enhance these tools for their financial operations. The technical evolution of Ploutus showcases why financial institutions must stay ahead of emerging threats through constant security updates and employee training.

How to protect against ATM jackpotting

For financial institutions and businesses operating ATMs, this case highlights the critical importance of implementing robust security measures. Here are key protective steps that can help prevent similar attacks:

  1. Physical security enhancements: Install tamper-evident seals and improved locking mechanisms on ATM access points. Consider video surveillance specifically focused on the ATM's upper compartment.

  2. Software hardening: Ensure ATMs run on supported, up-to-date operating systems with the latest security patches. Windows XP-based systems are particularly vulnerable.

  3. Network monitoring: Implement systems that detect unusual commands or traffic patterns that might indicate compromise attempts.

  4. Advanced malware protection: Deploy specialized security solutions designed to detect and prevent ATM-specific malware using advanced detection techniques beyond standard malware removal tools.

  5. Regular penetration testing: Conduct scheduled security assessments specifically targeting ATM vulnerabilities to identify potential weaknesses before criminals can exploit them.

Banks should also educate employees about the warning signs of tampering and establish clear response protocols for suspected jackpotting attempts. This should include documenting unusual behavior around ATMs, recognizing signs of physical tampering, and implementing rapid response procedures when suspicious activity is detected.
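One form the "network monitoring" step above can take, as an added example that is not from the article or the DOJ filing: detection logic that correlates cash-dispense events with host transaction authorizations, since jackpotting malware drives the dispenser without one, and that also flags bursts of dispenses and removable-media attachment. The event log format and field names are constructed for illustration and do not represent any real ATM vendor's format.

```python
"""Flag ATM dispense events that lack a matching host authorization."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (assumed layout: timestamp atm_id event key=value...).
SAMPLE_LOG = """\
2025-11-03T02:10:05 ATM-017 AUTH_OK txn=8891 amount=200
2025-11-03T02:10:09 ATM-017 DISPENSE amount=200
2025-11-03T03:41:12 ATM-017 USB_ATTACH vid=abcd
2025-11-03T03:42:00 ATM-017 DISPENSE amount=1000
2025-11-03T03:42:20 ATM-017 DISPENSE amount=1000
2025-11-03T03:42:41 ATM-017 DISPENSE amount=1000
"""

AUTH_WINDOW = timedelta(seconds=60)    # a dispense must follow an auth within this window
BURST_WINDOW = timedelta(seconds=120)  # window for counting repeated dispenses
BURST_LIMIT = 3                        # dispenses per window that trigger an alert


def parse(line):
    """Split one constructed log line into (time, atm_id, event, fields)."""
    ts, atm, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), atm, event, fields


def analyze(log_text):
    """Return a list of (time, atm_id, reason) alerts for the given log text."""
    alerts = []
    pending_auth = {}  # atm_id -> (time, amount) of the last unconsumed authorization
    recent = {}        # atm_id -> deque of recent dispense times for burst detection
    for line in log_text.splitlines():
        ts, atm, event, f = parse(line)
        if event == "AUTH_OK":
            pending_auth[atm] = (ts, int(f["amount"]))
        elif event == "USB_ATTACH":
            alerts.append((ts, atm, "removable media attached"))
        elif event == "DISPENSE":
            auth = pending_auth.pop(atm, None)
            # Jackpotting signature: cash leaves with no timely, amount-matching host auth.
            if auth is None or ts - auth[0] > AUTH_WINDOW or auth[1] != int(f["amount"]):
                alerts.append((ts, atm, "dispense without matching host authorization"))
            q = recent.setdefault(atm, deque())
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_LIMIT:
                alerts.append((ts, atm, f"{len(q)} dispenses within {BURST_WINDOW.seconds}s"))
    return alerts
```

In a real deployment the authorization feed would come from the host switch and the dispense and USB events from the ATM's own event stream, so the two must be time-synchronized for the correlation window to be meaningful.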

The broader impact

This case represents one of the largest coordinated strikes against ATM jackpotting in U.S. history and demonstrates the evolving nature of the threat landscape where physical security and cybersecurity increasingly overlap.

For consumers, while individual bank accounts aren't directly targeted in jackpotting schemes, these crimes ultimately impact banking costs and can potentially affect ATM availability in high-risk areas.

The case also highlights the continuing challenge financial institutions face in balancing customer convenience with security. ATMs need to be accessible yet protected against increasingly sophisticated attack methods that combine technical expertise with physical access.

As the case progresses through the judicial system, it will likely provide valuable insights into criminal methodologies that can help banks and ATM operators strengthen their defenses against similar future attacks. Law enforcement agencies worldwide are closely monitoring these developments, as the techniques employed by Tren de Aragua could be adopted by other criminal organizations globally, according to a recent report by the Financial Action Task Force.

The international dimension of this case cannot be overstated – with connections to terrorist organizations and sophisticated technical capabilities, this represents a new frontier in the convergence of cybercrime and international terrorism that will require unprecedented cooperation between financial institutions, technology providers, and law enforcement agencies across borders.
